Ubuntu.comUB:CVE-2023-22067CVE-2023-22067
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.7 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
28.6%
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
product of Oracle Java SE (component: CORBA). Supported versions that are
affected are Oracle Java SE: 8u381, 8u381-perf; Oracle GraalVM Enterprise
Edition: 20.3.11 and 21.3.7. Easily exploitable vulnerability allows
unauthenticated attacker with network access via CORBA to compromise Oracle
Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this
vulnerability can result in unauthorized update, insert or delete access to
some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
Note: This vulnerability can only be exploited by supplying data to APIs in
the specified Component without using Untrusted Java Web Start applications
or Untrusted Java applets, such as through a web service. CVSS 3.1 Base
Score 5.3 (Integrity impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Bugs
Notes
| Author | Note |
|---|---|
| mdeslaur | 8.x only |
| sbeattie | see Oracle OpenJDK-8 release notes discussions around this issue, and the introduced system property com.sun.CORBA.IDL.Stubs.allowCorbanameInIOR |
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | openjdk-8 | < 8u392-ga-1~18.04 | UNKNOWN |
| ubuntu | 20.04 | noarch | openjdk-8 | < 8u392-ga-1~20.04 | UNKNOWN |
| ubuntu | 22.04 | noarch | openjdk-8 | < 8u392-ga-1~22.04 | UNKNOWN |
| ubuntu | 23.04 | noarch | openjdk-8 | < 8u392-ga-1~23.04 | UNKNOWN |
| ubuntu | 23.10 | noarch | openjdk-8 | < 8u392-ga-1~23.10 | UNKNOWN |
| ubuntu | 16.04 | noarch | openjdk-8 | < 8u392-ga-1~16.04 | UNKNOWN |
References
launchpad.net/bugs/cve/CVE-2023-22067
nvd.nist.gov/vuln/detail/CVE-2023-22067
security-tracker.debian.org/tracker/CVE-2023-22067
ubuntu.com/security/notices/USN-6528-1
www.cve.org/CVERecord?id=CVE-2023-22067
www.oracle.com/java/technologies/javase/8u391-relnotes.html#JDK-8303384
www.oracle.com/security-alerts/cpuoct2023.html
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.7 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
28.6%